BID:1401

glftpd privpath Directive Vulnerability

Info

glftpd privpath Directive Vulnerability

Bugtraq ID:	1401
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jun 26 2000 12:00AM
Updated:	Jun 26 2000 12:00AM
Credit:	This vulnerability was posted to the Bugtraq mailing list on June 26, 2000 by Raymond Dijkxhoorn <[email protected]>
Vulnerable:	GlFtpd GlFtpd 1.21 b8 GlFtpd GlFtpd 1.21 b7 GlFtpd GlFtpd 1.21 b6 GlFtpd GlFtpd 1.21 b5 GlFtpd GlFtpd 1.21 b4 GlFtpd GlFtpd 1.21 b3 GlFtpd GlFtpd 1.21 b2 GlFtpd GlFtpd 1.21 b1 GlFtpd GlFtpd 1.20 GlFtpd GlFtpd 1.19 GlFtpd GlFtpd 1.18

Not Vulnerable:

Discussion

glftpd privpath Directive Vulnerability

A vulnerability exists in glftpd, versions 1.18 through the latest beta, 1.21b8. The vulnerability exists in the access checking of the privpath directive, when combined with the completion function of glftpd. If the attacker knows the name of a private or group directory on a site, it is possible to access this directory without having the proper access to do so. This could result in sensitive information being downloadable by users not privileged enough to do so.

Exploit / POC

glftpd privpath Directive Vulnerability

From the example posted to Bugtraq:

/Groups/Mygroup and you have a dir named 'test' there.
you can simply jump to it by typing
'chdir /Groups/Mygroup/t'
glftpd does not check if you have the proper rights to see the dir, it just hops in there without any problem. So if you try a-9 on the dirnames you can see all stuff inside a private dir,, takes some time, but with a nice script its not that hard... ;-)

Solution / Fix

glftpd privpath Directive Vulnerability

Solution:
This vulnerability was fixed in version 1.21 of glftpd, avilable at glftpd.deepwell.com

A program to work around this vulnerability is below.

GlFtpd GlFtpd 1.18